Decade-old cookie policy under review

Thursday - 5/28/2009, 7:26pm EDT

WFED's Jason Miller

OMB drafting new guidance to let agencies use function to better understand citizen Web behavior

Download mp3

By Jason Miller
Executive Editor
FederalNewsRadio

The Office of Management and Budget wants to reverse a decade-old policy that prohibits the use of persistent cookies on agency Web sites.

Mike Howell, OMB's deputy administrator of e-government and information technology, says the administration is looking at the policy to make it easier to move to a context driven government.

"The Office of Information and Regulatory Affairs and the E-Gov office are revisiting the policy," Howell says Thursday during a panel discussion at the Network Infrastructure conference in Falls Church, Va. Sponsored by 1105 Government Information Group.

"The reason is a lot of organization are telling us we need to improve ability to measure use of Web sites. They want to know what's good about them, what needs improvement. And to do that, we need Web analytics capabilities and in order to do that we have to overcome the current constraints of the cookie policy."

In 1999 under the Clinton administration, OMB prohibited the use of cookies unless the agency secretary approved the use and users were told up front that the site uses cookies.

Persistent cookies are pieces of code that tracks users' preferences or Web behavior.

"The policy originally was to prevent the fear of the government monitoring private citizens' use of the Internet," he says.

"We are not seeking personal or private information about them. If we put monitoring tools on Web sites, they will be clearly identified, and users will have a choice to opt out if they want to."

Howell says OMB still needs another month or two to complete the policy.

"Cookies are very commonly used around the world in the commercial sector so this is a case of the government trying to catch up," he says.

"A lot of people don't realize it that is being done on almost every Web site you visit."

Howell adds that most people are comfortable with cookies.

Several non-government groups and even a federal advisory board recommend that OMB revisit this policy.

The Information Security and Privacy Advisory Board (ISPAB) Thursday issued recommendations to update the Privacy Act of 1974 and other privacy policies. Included in those recommendations is revisiting the persistent cookies prohibition.

"Unquestionably, finding a balancing point in policy between privacy concerns and the ability to analyze and improve service delivery remains a difficult goal in both the private and government sectors," the ISPAB states in a letter to OMB director Peter Orszag.

"However, now that greater attention has been paid to the potential privacy risk from use of IP addresses, cookies and similar data, perhaps finding a proper balance can become a reality."

The committee supports the opt-in approach in OMB's draft policy.

"The new policy need not be so prescriptive that it requires constant definition of cookies and prompting of users, but a clear consent to the storage and use of information to help provide a particular service, such as the ‘remember me' check boxes common on many commercial Web sites," the letter states.

Howell says OMB is aware of the ISPAB's recommendations and will consider them as it further develops the policy.

OMB also is creating a set of policies around Web 2.0.

Howell says it is using the General Services Administration's initial Web 2.0 guidance as a starting point.

"It is a high priority for us to get through as soon as possible," he says.

"There is such pressure and demand for this capability and a request for guidance from agencies that we are trying to get on top of that."

A federal team of experts, including agency Web managers, GSA and OMB, are working on the guidance and will come up with a list of recommended policy updates to improve and guide agency use of Web 2.0.

Howell says GSA's recent agreements with social media sites such as YouTube, Flickr, My Space and others have caused some concern among agencies.

"We've heard two kinds of concerns," Howell says. "One is related to acquisition and how can other agencies legally use these agreements. The second is around privacy issues."

The Chief Information Officer's Privacy Committee is trying to address the second set of concerns.

Howell says the committee will come up with recommendations to either redo the terms and conditions and they will determine that the agreements can be adopted across the government without worry.

GSA says about 20 agencies already have signed the agreement with YouTube.

---
On the Web:

FederalNewsRadio -- Web managers meet fed new media superstars

OMB -- Persistent cookie policy

ISPAB -- Letter to OMB on privacy laws and policy updates (pdf)